diff --git a/iptables/defaults/main.yml b/iptables/defaults/main.yml
index 596233ab..9da4e534 100644
--- a/iptables/defaults/main.yml
+++ b/iptables/defaults/main.yml
@@ -16,16 +16,16 @@
 #https_allowed_hosts:
 # - 0.0.0.0/0
 #
-# Generic tcp and udp access
+# Generic tcp and udp access. The 'policy' field is optional, if it is not present the policy is set to 'ACCEPT'
 #
 # iptables:
 # tcp_rules: True
 # tcp:
-# - { port: '8080', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}' ] }
-# - { port: '80', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}' ] }
+# - { port: '8080', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'ACCEPT' ] }
+# - { port: '80', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'REJECT' ] }
 # - { port: '80' }
 # udp_rules: True
 # udp:
-# - { port: '123', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}' ] }
+# - { port: '123', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'DROP' ] }
 # munin_server:
 # - 146.48.122.15
@@ -47,6 +47,8 @@ iptables_nat_interfaces:
 iptables_input_default_policy: '{{ iptables_default_policy }}'
 iptables_forward_default_policy: '{{ iptables_default_policy }}'
 iptables_banned_default_policy: DROP
+iptables_https_managed_hosts_default_policy: 'REJECT --reject-with icmp-host-prohibited'
+iptables_generic_rules_default_policy: 'REJECT --reject-with icmp-host-prohibited'
 ganglia_enabled: False
 nagios_enabled: False
 iptables_open_all_to_isti_nets: False
diff --git a/iptables/templates/iptables-rules.v4.j2 b/iptables/templates/iptables-rules.v4.j2
index 1b67fad0..436dcc05 100644
--- a/iptables/templates/iptables-rules.v4.j2
+++ b/iptables/templates/iptables-rules.v4.j2
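Review bot: The new example rules in the comment block put `policy:` inside the `allowed_hosts` flow sequence (`[ ..., '{{ network.eduroam }}', policy: 'ACCEPT' ]`), which YAML parses as a one-key mapping that is an element of the list, not as a key of the rule; the template reads `tcp_rule.policy`, so with this layout the policy is silently ignored and the `{% for ip_really in ip %}` branch iterates the mapping's keys and renders `-s policy`, which iptables-restore refuses. The examples should close the list before the key: `- { port: '8080', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}' ], policy: 'ACCEPT' }`, and likewise for the `'80'` and `'123'` lines. The sentence added to the `Generic tcp and udp access` line could also say which forms are accepted (a bare target, or a target followed by its options as the two new defaults show), since the value is pasted verbatim into the ruleset.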
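Review bot: `iptables_generic_rules_default_policy` is introduced but none of the hunks shown reference it; the generic tcp/udp rules in the template fall back to an inline `default('ACCEPT')` and the template instead gains a `TODO: add the rules that block traffic from now on` comment. Either wire it in as the closing per-port rule for the generic rules or mark it as reserved, e.g. `# Appended after the allowed_hosts of each generic tcp/udp rule (not used by the template yet)`. The single quotes are needed here because the value carries the `--reject-with` option; a short comment saying so would stop someone "normalising" it to a bare target like the unquoted `iptables_banned_default_policy: DROP` above it.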
@@ -30,6 +30,7 @@
 {% for ip in iptables_ssh_allowed_hosts %}
 -A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport 22 -j ACCEPT
 {% endfor %}
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j REJECT --reject-with icmp-host-prohibited
 {% endif %}
 {% else %}
 # ssh is always open. We use denyhosts or fail2ban to prevent unauthorized accesses
@@ -52,20 +53,30 @@
 {% for ip in http_allowed_hosts %}
 -A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ http_port }} -j ACCEPT
 {% endfor %}
+-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ http_port }} -j REJECT --reject-with icmp-host-prohibited
 {% else %}
 -A INPUT -m state --state NEW -m tcp -p tcp --dport {{ http_port }} -j ACCEPT
 {% endif %}
 {% endif %}
+
 {% if https_port is defined %}
 # https
 {% if https_allowed_hosts is defined %}
 {% for ip in https_allowed_hosts %}
 -A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ https_port }} -j ACCEPT
 {% endfor %}
+-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ https_port }} -j REJECT --reject-with icmp-host-prohibited
+{% else %}
+{% if https_managed_hosts is defined %}
+{% for rule in https_managed_hosts %}
+-A INPUT -m state --state NEW -s {{ rule.source_ip }} -p tcp -m tcp --dport {{ https_port }} -j {{ rule.policy }}
+{% endfor %}
+-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ https_port }} -j {{ iptables_https_managed_hosts_default_policy }}
 {% else %}
 -A INPUT -m state --state NEW -m tcp -p tcp --dport {{ https_port }} -j ACCEPT
 {% endif %}
 {% endif %}
+{% endif %}
 {% if psql_firewall_enabled %}
 {% if psql_db_port is defined %}
 {% if psql_listen_on_ext_int is defined and psql_listen_on_ext_int %}
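Review bot: The REJECT appended for port 22 is emitted unconditionally inside the allowed-hosts branch, so any later ACCEPT for that port (a generic `iptables.tcp` rule with `port: '22'`, or the `iptables_open_all_to_isti_nets` rules, if those are rendered further down the file) can never match; the enclosing `{% if %}` starts outside the hunk. That is the intended hardening, but it deserves a comment, e.g. `# Explicit reject: sources not listed above never reach sshd, even if a later rule would allow them`. The same closing-reject pattern is added in the http, ldap, nagios, munin, prometheus and postfix hunks, so one note near the top of the template is better than repeating it per port.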
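Review bot: In the new `https_managed_hosts` loop the target is `{{ rule.policy }}` with no `default(...)`, unlike every other rule in this diff which uses `policy | default('ACCEPT')` and unlike the defaults comment which says the field is optional; an entry without `policy` renders `-j ` followed by nothing and iptables-restore rejects the whole file. Use `-j {{ rule.policy | default('ACCEPT') }}` on that line. The entry key is `source_ip` here but `ip` in the new ANY rules at the end of the file; one name would keep the inventory schema uniform. `https_managed_hosts` also has no example in the defaults comment block; a commented entry showing `source_ip` and `policy` would help.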
@@ -105,6 +116,8 @@
 {% endif %}
 -A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT
 {% endfor %}
+-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j REJECT --reject-with icmp-host-prohibited
 {% else %}
 {% if not openldap_slapd_ssl_only %}
 -A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT
@@ -140,6 +153,7 @@
 -A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.nmis }} --dport {{ tcp_port }} -j ACCEPT
 -A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.eduroam }} --dport {{ tcp_port }} -j ACCEPT
 {% endfor %}
+-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tcp_port }} -j REJECT --reject-with icmp-host-prohibited
 {% endif %}
 {% if vsftpd_iptables_rules is defined and vsftpd_iptables_rules %}
 # Someone still uses ftp
@@ -151,6 +165,9 @@
 -A INPUT -m helper --helper ftp -j ACCEPT
 {% endif %}
 {% endif %}
+#
+# TODO: add the rules that block traffic from now on
+#
 {% if nagios_enabled is defined %}
 {% if nagios_enabled %}
 {% if nagios_monitoring_server_ip is defined %}
@@ -160,6 +177,8 @@
 # Check ntp from the nagios server
 -A INPUT -s {{ ip }} -p udp -m udp --dport 123 -j ACCEPT
 {% endfor %}
+-A INPUT -m state --state NEW -p tcp -m tcp --dport 5666 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -p udp -m udp --dport 123 -j REJECT --reject-with icmp-host-prohibited
 {% endif %}
 {% endif %}
 {% endif %}
@@ -170,6 +189,7 @@
 {% for ip in munin_server %}
 -A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 4949 -j ACCEPT
 {% endfor %}
+-A INPUT -m state --state NEW -p tcp -m tcp --dport 4949 -j REJECT --reject-with icmp-host-prohibited
 {% endif %}
 {% endif %}
 {% endif %}
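Review bot: The added `-A INPUT -p udp -m udp --dport 123 -j REJECT ...` in the nagios hunk has no `-s` restriction and is rendered before the custom-rules section, so once nagios is enabled a generic `iptables.udp` rule for `port: '123'` — the very example the defaults comment documents — can never match. If a host serves NTP to anything besides the nagios server this is a regression, so at minimum state it: `# Rejects ntp from everything except the nagios server(s); a generic udp rule for 123 will not override this`. The sibling tcp line carries `-m state --state NEW` while the udp one does not; whether that matters depends on an ESTABLISHED,RELATED accept preceding it, which is outside the hunk. The three-line `TODO` comment in the hunk at -151 reads like the same unfinished work as the unused `iptables_generic_rules_default_policy` default; linking the two would help the next reader.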
@@ -192,6 +212,7 @@
 {% for ip in prometheus_servers_ip %}
 -A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 9100:9300 -j ACCEPT
 {% endfor %}
+-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9300 -j REJECT --reject-with icmp-host-prohibited
 {% else %}
 -A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9300 -j ACCEPT
 {% endif %}
@@ -224,6 +245,7 @@
 # These are only needed on the machines that act as relay servers
 #
 -A INPUT -p tcp -m multiport --dports 25,587,465 -s {{ network.nmis }} -j ACCEPT
+-A INPUT -p tcp -m multiport --dports 25,587,465 -j REJECT --reject-with icmp-host-prohibited
 -A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
 {% if postfix_use_relay_host is defined and postfix_use_relay_host %}
 -A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
@@ -253,15 +275,15 @@
 {% if tcp_rule.allowed_hosts is defined %}
 {% for ip in tcp_rule.allowed_hosts %}
 {% if ip is string %}
--A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j ACCEPT
+-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
 {% else %}
 {% for ip_really in ip %}
--A INPUT -m state --state NEW -s {{ ip_really }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j ACCEPT
+-A INPUT -m state --state NEW -s {{ ip_really }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
 {% endfor %}
 {% endif %}
 {% endfor %}
 {% else %}
--A INPUT -m state --state NEW -m tcp -p tcp --dport {{ tcp_rule.port }} -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
 {% endif %}
 {% endfor %}
 {% endif %}
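Review bot: The generic tcp rules now take a per-rule `policy`, but unlike the ssh, http, ldap, nagios, munin and prometheus hunks no closing rule follows the `allowed_hosts` loop, so a rule with `allowed_hosts` still leaves the port reachable from everywhere else unless the INPUT chain policy (`iptables_input_default_policy`, derived from `iptables_default_policy`, value not visible here) drops it; the new `iptables_generic_rules_default_policy` default looks intended for exactly this. After the outer `{% endfor %}` of the allowed-hosts loop, before `{% else %}`, add `-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ tcp_rule.port }} -j {{ iptables_generic_rules_default_policy }}`; the udp hunk at -271 needs the same with `-p udp -m udp` and no state match, mirroring its accept lines. The enclosing `{% for tcp_rule ... %}` starts outside the hunk. Since `policy` is pasted verbatim into the ruleset and a typo only surfaces when iptables-restore fails, a comment next to the loop listing the accepted forms (`ACCEPT`, `DROP`, `REJECT --reject-with ...`) would be useful.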
@@ -271,15 +293,15 @@
 {% if udp_rule.allowed_hosts is defined %}
 {% for ip in udp_rule.allowed_hosts %}
 {% if ip is string %}
--A INPUT -s {{ ip }} -p udp -m udp --dport {{ udp_rule.port }} -j ACCEPT
+-A INPUT -s {{ ip }} -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
 {% else %}
 {% for ip_really in ip %}
--A INPUT -s {{ ip_really }} -p udp -m udp --dport {{ udp_rule.port }} -j ACCEPT
+-A INPUT -s {{ ip_really }} -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
 {% endfor %}
 {% endif %}
 {% endfor %}
 {% else %}
--A INPUT -p udp -m udp --dport {{ udp_rule.port }} -j ACCEPT
+-A INPUT -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
 {% endif %}
 {% endfor %}
 {% endif %}
@@ -291,6 +313,14 @@
 {% endfor %}
 {% endfor %}
 {% endif %}
+{% if iptables.managed_any_rules is defined and iptables.managed_any_rules %}
+# ANY rules
+{% for any_rule in iptables.any %}
+{% for rule in any_rule.allowed_hosts %}
+-A INPUT -s {{ rule.ip }} -j {{ rule.policy | default('ACCEPT') }}
+{% endfor %}
+{% endfor %}
+{% endif %}
 # End of the custom rules
 {% endif %}
 {% if keepalived_enabled is defined and keepalived_enabled %}
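Review bot: `{% for any_rule in iptables.any %}` is guarded only by `iptables.managed_any_rules`, so setting the flag without an `any` list fails at template time with an undefined variable; `{% for any_rule in iptables.any | default([]) %}` degrades to rendering nothing instead. The entry shape also differs from the rest of the file: here `allowed_hosts` holds `{ ip, policy }` mappings, the tcp/udp rules keep `allowed_hosts` as a list of addresses with `policy` on the rule, and the https block names the address `source_ip`; one shape should be chosen and documented in the defaults comment block, which mentions neither `managed_any_rules` nor `any`. A rendered `-A INPUT -s {{ rule.ip }} -j ACCEPT` has no protocol, port or state match and so trusts the source completely; the `# ANY rules` comment should say so, e.g. `# ANY rules: every protocol and port from the listed sources, no state match`.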